Cybersecurity Spending: How Much is Enough?

Every C-Suite Executive has asked the following question: Do I spend another dollar on cybersecurity, or do I put that money towards improving my customers’ experience?

C-Suite Executives routinely turn this question over to my team for answers. A common theme that we report back is: cybersecurity as we know it is fundamentally broken. Technologies that were cutting-edge two decades ago were not designed to meet the threats of today – or tomorrow. Too often, companies are searching for a silver bullet for their cybersecurity problems, but comprehensive solutions simply do not exist today out of the box. We know something is wrong with our cybersecurity approach when the global cost of cybercrime is predicted to double from the 2015 level and hit $6 trillion annually by 2021.

Answering the question of “how much is enough” requires an approach for right-sizing a cybersecurity program to the individual risk profile of the organization. This starts with an approach that blends old and new techniques. Older techniques include performing a traditional risk assessment against the NIST Framework or other industry frameworks. Newer and more innovative techniques are based on designing cybersecurity capabilities that behave like and anticipate the adversary, shifting the organization away from a purely defensive posture. A purely defensive strategy is a losing strategy: for every defense you put in the path of a cybercriminal, they will find a way to get around it to disrupt an event or grab data.

I want to add a special emphasis to an often overlooked and misunderstood new technique – the use of open source intelligence, or OSINT. When you target your own organization as if you were the adversary, you can identify the information leaking out through your vendors’ connections or through your own technology before cybercriminals use that same intelligence to launch an attack against your organization.

We suggest the following approach to C-Suite Executives:

Assess: Executives should direct the company to conduct a traditional risk assessment. The NIST Framework and other industry frameworks are suited for this purpose. We suggest that Executives ensure the assessment identifies critical digital assets and information and how those assets are protected. The result should be a prioritized and short list of the most critical risks facing your company, which should be considered for remediation, transfer or acceptance.

Remediate: The “assess” step is the easiest step – policymakers have done tremendous work to provide businesses of all sizes and industry sectors with tools and frameworks for assessing risk. Executives quickly learn that once the assessment is done, there are far fewer standardized implementation frameworks to rely on.

One of the biggest ways C-Suite Executives can promote a comprehensive view of security is to require prioritized implementation plans for the risks identified during the “assess” phase that map out suggested first, second, and third technical steps to implement or transform their security programs over time. This approach typically results in low-cost initiatives in the first steps that build maturity within the organization, positioning it for more strategic investments later.

Proactively Monitor and Defend: While the previous steps help Executives implement or transform cybersecurity programs, this final step is crucial for tailoring day-to-day operations to keep pace with cybercriminals. Thinking – and acting – differently about cybersecurity is the only way we can defend against and defeat our adversaries. This new way of thinking starts on the cybersecurity operations floor, where teams should be continuously “hunting” for active threats against the network, mining and analyzing potential threats, and applying defenses accordingly. Organizations should also employ OSINT arms designed to monitor for activity related to their equities and VIP personnel on the internet, the dark web, and other sources; this is the kind of reconnaissance adversaries are actively performing and using to exploit organizations.

To put this all into operation, executives can start by considering the following five questions:

Do we track our organization, physically and digitally (like an adversary would), using OSINT techniques?

For large physical events or concentrated places of work or travel for our Executives, have we set up geofenced locations, and do we monitor for chatter that could be targeting the people or our critical data?

Have we defined the top two assets that would destroy us if they were stolen or compromised? Have we made sure all human and technology processes ask about those two assets first?

What’s our worst digital and worst physical nightmare? Do we have a disaster plan to address these?

When is the last time we got all relevant parties together to conduct a tabletop exercise against our worst nightmare? If there are multiple stakeholders, do we have a simple, straightforward memorandum of understanding in place to define roles and responsibilities?

Working through the above steps provides tangible data points that Executives can use to develop the right cybersecurity program and capabilities for the company’s individual risk profile, and ultimately to determine what that will cost. Each business is born from an idea to solve a customer’s needs, and most of the security solutions on the market today have not proven that they exist to help you serve your customers’ needs. It’s time for a new approach.